Policy | Security | Investigation

asset

June 15, 2009

As litigation and other requests for e-mail from backup tapes grow more frequent, an enterprise may be wise to restore, consolidate and archive all of its old e-mail held in backup.

Historically organizations did not think of e-mail as an asset worthy of preservation. They did not archive it, though copies would end up in network backup.

But experience has taught that e-mail evidence can be critical to defense of a lawsuit or enforcement of a contract. Alternatively its disclosure might be required under a subpoena (see definition below), a court order, an administrative summons, an IRS tax audit or a freedom of information act request (FOIA). Further, e-mail might be needed in an investigation (led internally or by outside criminal prosecutors) of a bribe, a kickback, an overcharge, tax evasion or a embezzlement of money, or it might be needed for an audit of alleged misallocation of funds.

Greg Smith of Messaging Architects observes that repeated requests for e-mails from backup can warrant a change of thinking in the IT department. “While most backup software deals very efficiently with individual electronic records, it cannot provide the same level of access to email. This is because enterprise email exists as a record within a database (such as for Groupwise or Microsoft Exchange). The database must be restored in its entirety and searched in its entirety in order to ascertain the contents of the database. With database sizes exceeding 100GB and scores if not hundreds of tapes, the cost to restore and search the tapes can be considerable. Recovering records for selective users and dates may satisfy the current discovery requirement, but with each successive lawsuit, or changes in discovery parameters for an existing lawsuit, restoration from tape can become a recurring financial liability.”

Greg continues, “The practical solution is to remove the information from tape permanently and place it in an electronic records format where information can be retained and managed as individual records and not conglomerates of information. In such a format, individual email records can be sorted by user or date.”

Restored records can be archived in an open (non-proprietary) format, such as XML, which enables searchers to tap an ever-expanding array of search and forensics tools. XML may or may not qualify as "native format" as that term is sometimes used in court decisions, though XML may be a more useful format than whatever the native format was.

–Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, experts in e-discovery and consultants in e-mail investigations.

Post Script What is a subpoena? A subpoena is a legal demand that someone turn over information or evidence. Commonly the laws of litigation enable a party to subpoena other parties for records or other evidence. Sometimes the law also invests the power to subpoena in an official who conducts investigations, such as a government auditor or an inspector general. If a party abuses the power to subpoena, by demanding irrelevant records or by issuing a demand with no regard for the cost of compliance, a court may sanction the issuer of the subpoena.

October 11, 2008

Departure (dismissal) of an employee does not justify destruction of his e-mail records stored on employer equipment. Those records are not the property of the employee or (normally in the U.S., with some qualifications) the vessel of his privacy. The records are an asset of the employer, showing what the employee did in his capacity as an employee and agent of the employer and how he was supervised.

In our changing economy, employers are learning how to get the same productivity with fewer people. As they let some employees go, the email records of those employees are part of the employer's valuable institutional memory.

Wasting Manager Time

A manager is wasting her time if she paws through a departing employee’s e-mail to decide what to keep and what to destroy (delete). It is better just to keep the e-mail, consistent with the retention and privacy practices generally applicable for all employees.

Email is an Asset of the Enterprise

E-mail records memorialize intellectual property development by employees (such as an inventor or engineer), and they record when and under what conditions trade secrets are shared with business partners. In intellectual property (IP) disputes, proving the time and date that particular events transpired is essential. The beauty of email records is that every message is stamped with time and date.

Today, e-mail records are critical to many investigations and disputes; they are even critical under search warrants, where law enforcement seizes records under court supervision. In Jane Doe v. Norwalk Community College (a sexual harassment case), the court sanctioned a college for destroying electronic records of a suspect teacher after he left the college. The same could happen to any educational institution (public or private . . . higher, secondary, primary, K-12).

E-mail records show what commitments employees did and did not make on behalf of the employer. In Cloud Corp. v. Hasbro, 314 F.3d 289 (7th Cir. 2002), employee e-mail effectively modified a paper-written contract that said it could not be modified except by a “signed writing”. E-mail can be a legally-binding “signed writing” that memorializes the employer’s rights and responsibilities under contracts.

Federal Sentencing Guidelines

E-mail records showing day-to-day education and supervision of employees are consistent with the expectations of the Federal Sentencing Guidelines. The Sentencing Guidelines are the framework within which federal judges select penalties for convicted criminals. If a criminal happens to be an enterprise, the Guidelines call for leniency where the enterprise had taken steps to prevent and mitigate crime by employees. In other words, bad employees might go to jail, but their not-so-bad employer might avoid stiff criminal penalties.

Under the Sentencing Guidelines, the steps the employer must take include establishing and promoting an employee ethics program and then monitoring and disciplining employee conduct. To show that an employer did this, electronic mail records (ESI) can be key evidence. They can document regular education, supervision and discipline of employees.

Update: The Federal Sentencing Guidelines are proposed to be amended so as to place more emphasis on complete record retention.

Policy?

So precisely how long should employers keep email records? There is no one-size-fits-all answer. I have led in-house workshops to address this question at numerous, diverse enterprises. The outcome of these workshops has varied, depending on many factors, including corporate culture.

In my experience, the best email retention policy is one that is developed by collaboration of the various stakeholder departments in the enterprise (legal, IT, HR, operations et al.). Normally, these different stakeholders start with different positions on what the policy should say. But, in my experience, after the stakeholders have talked through the issues, they tend to compromise their positions and coalesce into a policy that is unique to the enterprise.

P.S. Employers may believe that by deleting email they are preventing a future eDiscovery adversary from conducting a so-called fishing expedition through the records. However, I argue that the advantages of generous record retention outweigh the risk of a fishing expedition.

IT Administrators

Twitter

Custom Professional Training

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.